Setting up an IKEv2 VPN on Ubuntu 16.04

Step 1: Installation

1. Install StrongSwan

apt-get install strongswan strongswan-plugin-af-alg strongswan-plugin-agent strongswan-plugin-certexpire strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dhcp strongswan-plugin-duplicheck strongswan-plugin-eap-aka strongswan-plugin-eap-aka-3gpp2 strongswan-plugin-eap-dynamic strongswan-plugin-eap-gtc strongswan-plugin-eap-mschapv2 strongswan-plugin-eap-peap strongswan-plugin-eap-radius strongswan-plugin-eap-tls strongswan-plugin-eap-ttls strongswan-plugin-error-notify strongswan-plugin-farp strongswan-plugin-fips-prf strongswan-plugin-gcrypt strongswan-plugin-gmp strongswan-plugin-ipseckey strongswan-plugin-kernel-libipsec strongswan-plugin-ldap strongswan-plugin-led strongswan-plugin-load-tester strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pgp strongswan-plugin-pkcs11 strongswan-plugin-pubkey strongswan-plugin-radattr strongswan-plugin-sshkey strongswan-plugin-systime-fix strongswan-plugin-whitelist strongswan-plugin-xauth-eap strongswan-plugin-xauth-generic strongswan-plugin-xauth-noauth strongswan-plugin-xauth-pam

2. Install iptables-persistent

sudo apt-get install iptables-persistent

Step 2: Create a self-signed CA certificate

1. Create a working directory

mkdir vpn-certs

cd vpn-certs

2. Generate the private key for the self-signed CA certificate

ipsec pki --gen --type rsa --size 4096 --outform pem > server-root-key.pem

chmod 600 server-root-key.pem

3. Generate the self-signed CA certificate

ipsec pki --self --ca --lifetime 3650 \
  --in server-root-key.pem \
  --type rsa --dn "C=US, O=VPN Server, CN=VPN Server Root CA" \
  --outform pem > server-root-ca.pem

4. Generate the private key for the server certificate

ipsec pki --gen --type rsa --size 4096 --outform pem > vpn-server-key.pem

5. Generate the server certificate; note that CN can be changed to the server's IP address or domain name, but C and O must match the CA certificate

ipsec pki --pub --in vpn-server-key.pem \
  --type rsa | ipsec pki --issue --lifetime 1825 \
  --cacert server-root-ca.pem \
  --cakey server-root-key.pem \
  --dn "C=US, O=VPN Server, CN=server_name_or_ip" \
  --san server_name_or_ip \
  --flag serverAuth --flag ikeIntermediate \
  --outform pem > vpn-server-cert.pem

Note: --san only needs to match server_name_or_ip; this parameter can be given multiple times

6. Copy the server certificate to StrongSwan's certificate location and change the permissions

sudo cp ./vpn-server-cert.pem /etc/ipsec.d/certs/vpn-server-cert.pem

sudo cp ./vpn-server-key.pem /etc/ipsec.d/private/vpn-server-key.pem

sudo chown root /etc/ipsec.d/private/vpn-server-key.pem

sudo chgrp root /etc/ipsec.d/private/vpn-server-key.pem

sudo chmod 600 /etc/ipsec.d/private/vpn-server-key.pem

Step 3: Configure strongswan

1. Back up the original strongswan configuration file

sudo cp /etc/ipsec.conf /etc/ipsec.conf.original

2. Create a blank strongswan configuration file

echo '' | sudo tee /etc/ipsec.conf

3. Open the strongswan configuration file

vi /etc/ipsec.conf

4. Edit /etc/ipsec.conf with the following content

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ios_ikev2
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rekey=no
    left=%any
    leftid=@server_name_or_ip
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftdns=8.8.8.8,8.8.4.4
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    dpdaction=clear
    fragmentation=yes
    auto=add

Note on leftid: when it is a domain name, the domain must be prefixed with "@":

For example:

leftid=@vpn.example.com

When it is an IP address, as in this example:

leftid=111.111.111.111

Step 4: Configure the VPN credentials file

1. Open the ipsec.secrets file

/etc/ipsec.secrets

2. Write the following configuration

server_name_or_ip : RSA "/etc/ipsec.d/private/vpn-server-key.pem"

your_username %any% : EAP "your_password"

Note: replace server_name_or_ip with the server's IP address or domain name, your_username with the account name, and your_password with the password; the double quotes must be kept

3. Reload ipsec

ipsec reload
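Before reloading, it is worth checking that the identity in ipsec.conf and the one in ipsec.secrets actually agree, and that the proposals do not still carry legacy algorithms. The following check is an added example, not part of the original post; it assumes a conn with leftid=, ike= and esp= lines and an ipsec.secrets with one RSA entry, and the sample files it builds are constructed:

```shell
# Added example (not from the original post): sanity-check an ipsec.conf /
# ipsec.secrets pair before `ipsec reload`: the conn's leftid (minus the "@")
# must be the identity ipsec.secrets maps to the RSA key, and legacy
# algorithms (3des, sha1, modp1024) in ike=/esp= are flagged. POSIX sh only.
# Print the value of "KEY=value" in FILE (first match, trailing blanks trimmed).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}
# Print the identity that ipsec.secrets associates with the RSA private key.
secrets_rsa_id() {
    sed -n 's/^[[:space:]]*\([^[:space:]:]*\)[[:space:]]*:[[:space:]]*RSA.*/\1/p' "$1" | head -n 1
}
# Print legacy algorithms found in a proposal string, one per line, sorted.
weak_algs() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -oE '3des|sha1|modp1024' | sort -u
}
# Report findings; return 0 only when the ids match and nothing weak is used.
check_ipsec_config() {
    conf=$1; secrets=$2; rc=0
    leftid=$(conf_value "$conf" leftid | sed 's/^@//')
    rsaid=$(secrets_rsa_id "$secrets")
    if [ -n "$leftid" ] && [ "$leftid" = "$rsaid" ]; then
        echo "OK: leftid and ipsec.secrets RSA id are both '$leftid'"
    else
        echo "MISMATCH: leftid '$leftid' vs ipsec.secrets RSA id '$rsaid'"; rc=1
    fi
    for k in ike esp; do
        weak=$(weak_algs "$(conf_value "$conf" "$k")")
        if [ -n "$weak" ]; then
            echo "WEAK $k proposal uses: $(echo "$weak" | tr '\n' ' ')"; rc=1
        fi
    done
    return $rc
}

# Constructed sample pair mirroring the post (leftid in the "@domain" form).
DEMO=$(mktemp -d)
cat > "$DEMO/ipsec.conf" <<'EOF'
conn ios_ikev2
    ike=aes256-sha256-modp2048,3des-sha1-modp1024!
    esp=aes256-sha256,3des-sha1!
    leftid=@vpn.example.com
EOF
cat > "$DEMO/ipsec.secrets" <<'EOF'
vpn.example.com : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
alice %any% : EAP "password-placeholder"
EOF
check_ipsec_config "$DEMO/ipsec.conf" "$DEMO/ipsec.secrets" || echo "fix the findings above before 'ipsec reload'"
```

Run it against the real files with `check_ipsec_config /etc/ipsec.conf /etc/ipsec.secrets` (as root, since ipsec.secrets is not world-readable).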

Step 5: Configure iptables

1. Clear the default iptables rules, if there are any

iptables -P INPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -F

iptables -Z

2. Allow SSH on port 22

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

3. Allow the loopback interface

sudo iptables -A INPUT -i lo -j ACCEPT

4. Allow IPsec connections

sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT

5. Forward ESP (Encapsulating Security Payload) traffic

sudo iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.10/24 -j ACCEPT

sudo iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.10/24 -j ACCEPT

6. The most important step: forward the traffic (SNAT via masquerading)

sudo iptables -t nat -A POSTROUTING -s 10.10.10.10/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT

sudo iptables -t nat -A POSTROUTING -s 10.10.10.10/24 -o eth0 -j MASQUERADE

Note: change eth0 to your outbound network interface

7. Allow connections by connection state; as for the specific state (I don't really understand it either)

sudo iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.10/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

8. Drop all other traffic (optional)

sudo iptables -A INPUT -j DROP

sudo iptables -A FORWARD -j DROP

Note: if the server also runs other services, this will make them unreachable; add rules according to your own situation

9. Save and reload the rules with netfilter-persistent (so the iptables rules are not lost when the machine reboots)

sudo netfilter-persistent save

sudo netfilter-persistent reload

Step 6: Enable kernel forwarding (otherwise clients can connect to the VPN server but cannot get out through it)

1. Open the /etc/sysctl.conf file

vi /etc/sysctl.conf

2. Modify the following entries:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc = 1

3. Reboot

sudo reboot

Step 7: Connect to the VPN

1. Import the CA certificate on Windows, iOS and macOS (import the vpn_root_certificate.pem)

This step is omitted here; please look it up yourself.

2. When connecting, make sure to select the IKEv2 protocol; the remote ID must be entered to match the server's ID, the local ID can be anything, and the username and password are the your_username and your_password configured in the ipsec.secrets file


Step 8: Troubleshooting

1. ipsec log location:

tail -f /var/log/syslog

2. It may also be that the strongswan plugins were not installed properly, so the eap-mschapv2 authentication protocol is not supported; confirm this with the following:

ipsec statusall

It returns the following (check whether eap-mschapv2 appears among the loaded plugins):

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-81-generic, x86_64):
  uptime: 3 days, since Jun 22 22:58:56 2017
  malloc: sbrk 2158592, mmap 532480, used 1022368, free 1136224
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/1
Listening IP addresses:
  172.21.146.14
  172.17.0.1
Connections:
   ios_ikev2:  %any...%any  IKEv2, dpddelay=30s
   ios_ikev2:   local:  [server_name_or_ip] uses public key authentication
   ios_ikev2:    cert:  "C=US, O=VPN Server, CN=server_name_or_ip"
   ios_ikev2:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   ios_ikev2:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none

The above method has been verified to work perfectly on Windows 10, iOS 10 and macOS 10.12.
